Reddit rolls out 2FA to all its users

Reddit, the so-called “front page of the internet”, has some important news for its 250 million registered users.

You can now secure your Reddit account with two-factor authentication (2FA).

The additional layer of security has been rolled out as an option to all users following months of beta-testing.

To enable the feature, Reddit users must access their account preferences on a desktop computer, and access the password/email tab.

If you scroll down you will see a new two-factor authentication option towards the bottom of the webpage.

If you select “Click to enable”, you will be asked to confirm your email address and password. With that done, Reddit will present you with a dialog familiar to anyone who has enabled 2FA on one of their online accounts before – suggesting you scan a QR code into the authentication app of your choice that supports the Time-based One-Time Password (TOTP) protocol.

After you have scanned the code, and entered a verification code generated by your app, you’re all done. Your Reddit account is now protected by two-factor authentication (although the site does recommend that you generate some emergency backup codes in the event of losing access to your authentication app).

From now on you’ll be required to enter a six-digit code when logging into the site, as well as your password.

Furthermore, in its current implementation, Reddit’s 2FA requires users to enter a six-digit code generated by their authentication app every time they log into their account. Although that might be great from the security point of view, I suspect many users will find that annoying – and would prefer if Reddit would remember trusted devices (if only for 30 days or so), and demand instead that anyone logging in from an untrusted device has to jump the authentication hurdle.

Still, it feels wrong to be churlish. This is a definite step in the right direction. Well done Reddit – let’s hope that Reddit users enable the feature.

Editor’s Note:The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.